
Create a self-signed SSL certificate to use HTTPS

Starting with Chrome version 58 and Firefox version 48, a certificate that does not specify the SAN (Subject Alternative Name) attribute causes the “Your connection is not secure” error.

Attention: Self-signed SSL certificates don’t provide reliable data protection against malicious users. We recommend using SSL certificates that are issued from trusted certificate authorities like Comodo, Symantec, Thawte, etc.

To generate an SSL certificate with the SAN attribute, make sure you have OpenSSL installed in your system and do the following:

 

  1. Create a root CA certificate. It will be used to issue other certificates. Fill out the form that appears. When prompted, enter the Common Name that is the fully qualified domain name of your server:

sudo openssl genrsa -des3 -out /etc/ssl/private/rootCA.key 2048
sudo openssl req -x509 -new -nodes -key /etc/ssl/private/rootCA.key -sha256 -days 365 -out /etc/ssl/certs/rootCA.pem

 

  2. Create the /etc/ssl/v3.ext configuration file with the following content (where mydomain.com is the fully qualified domain name of your server):

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
 
[alt_names]
DNS.1 = mydomain.com

  3. Create a self-signed certificate using the configuration file and the root certificate. Fill out the form that appears. When prompted, enter the Common Name that is the fully qualified domain name of your server:

sudo openssl genrsa -out /etc/ssl/private/selfsigned.key 2048
sudo openssl req -new -key /etc/ssl/private/selfsigned.key -out /etc/ssl/certs/selfsigned.csr
sudo openssl x509 -req -in /etc/ssl/certs/selfsigned.csr -CA /etc/ssl/certs/rootCA.pem -CAkey /etc/ssl/private/rootCA.key -CAcreateserial -out /etc/ssl/certs/selfsigned.crt -days 365 -sha256 -extfile /etc/ssl/v3.ext

 

  4. Add rootCA.pem to the trusted root certificate list.
  5. During ELMA365 installation or update, the server uses the selfsigned.key private key and the selfsigned.crt certificate.
  6. If a new certificate is issued, you need to renew the certificates by running the following command:

sudo elma365ctl reload-cert
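
Before installing the certificate or running reload-cert, the files produced by the steps above can be checked for the problems that most often break HTTPS: a missing SAN entry, a certificate not signed by the trusted root, and a key that does not match. This is an added example, not part of the ELMA365 documentation; check_server_cert is a hypothetical helper name, and the script assumes the file paths used on this page.

```shell
#!/bin/sh
# Added example: sanity checks for the files produced by the steps above.
# check_server_cert is a hypothetical helper, not an ELMA365 or OpenSSL command.
# Usage: check_server_cert <server.crt> <server.key> <rootCA.pem> <fqdn>
check_server_cert() {
    crt=$1; key=$2; ca=$3; host=$4

    # 1. The exact host name must be listed as a DNS entry in subjectAltName;
    #    current browsers do not use the Common Name for host matching.
    if ! openssl x509 -in "$crt" -noout -text \
            | tr ',' '\n' \
            | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
            | grep -Fxq "DNS:$host"; then
        echo "FAIL: subjectAltName has no DNS entry for $host" >&2
        return 1
    fi

    # 2. The certificate must chain to the root CA that clients will trust.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt is not signed by $ca" >&2
        return 2
    fi

    # 3. The private key must belong to the certificate (compare public keys).
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout) || return 3
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt" >&2
        return 3
    fi

    # 4. Reject a certificate that expires within the next 24 hours.
    if ! openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null; then
        echo "FAIL: $crt expires within 24 hours" >&2
        return 4
    fi

    echo "OK: $crt is valid for $host"
}

# Run the checks when the script is called with the four arguments.
if [ "$#" -eq 4 ]; then
    check_server_cert "$@"
fi
```

Saved as a script, it can be run with sudo and the arguments /etc/ssl/certs/selfsigned.crt, /etc/ssl/private/selfsigned.key, /etc/ssl/certs/rootCA.pem and the server's fully qualified domain name; a non-zero exit status identifies the failed check.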
